Changing host_permissions array disables extension on update

[nem...@readcube.com]

We are updating our extension to the manifest v3 and we are having now new field in manifest host_permissions. In that array we are having list of all urls of the pages that our extension should support. We did it that way to avoid using "all_urls" permission which was advice for Google to avoid long review times.

Often, when we are updating an extension, we are adding support for some new page, so we need to add new url to host_permissions field. Previously on manifest v2, if I'm not mistaken, just adding new url to the permissions field was not causing extension disable on update. Now with manifest v3, every update of host_permissions array will disable extension for all the users with pretty scary warning (attached).

It doesn't make any sense to me. Should we just switch to "all_urls" instead and have extension disabled on just one update instead on every one? Does "all_urls" permission still cause increased review times even on manifest 3?

[Roberto Oneto]

Start reading this:  https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions

[nem...@readcube.com]

I did in a meantime. Basically it says that every change of `host_permissions` will trigger the warning, which doesn't make any sense to me. So declaring once "all_urls" is "more safe" for users from googles standpoint because it will trigger the warning only on one update.

My question about review time for extensions with "all_urls" permission still stands.

[Roberto Oneto]

You can also use  optional_host_permissions and request user permissions ar runtime.

Basically it says that every change of `host_permissions` will trigger the warning, which doesn't make any sense to me

It seems normal to you that an extension (which could also be your extension) has the ability to collect and transmit data to each endpoint (<all_urls>)? If an extension requires new permissions in the manifest, it is a good thing for a user to be notified about it.

[nem...@readcube.com]

It would make sense maybe if warning is something different then "It can now read and change all your data on all websites" which is simply not true. I have explicitly set websites that it needs permission for, and adding one more website to that list should not tell user that now I can access all websites.

[Roberto Oneto]

The warning message changes depending on what you had before and what you have now (with the new version) in the host_permissions section. If you show us this section in the two versions of your extension we will tell you whether the message (which you posted together with the first message) is correct or not.

[nem...@readcube.com]

Sure, here is the screenshot that shows diff between current store listing (manifest v2) and new one that we are trying to update. What is not seen from the screenshot is this long list of explicitly set urls that we are requiring host permissions for. In new version, that list has one new value: "*://*.getft.io/*". And for that change only, after update, users will get waring that says "It can now read and change all your data on all websites". When I remove that one new website url, no warning is shown on update and extension is remained in enabled state (all tested with update tool)

[Roberto Oneto]

At first sight it'd seem that a message like ""  "It can now read and change all your data on all websites" is unjustified.

Try to run this command in console: chrome.management.getPermissionWarningsByManifest(<your_manifest_as_string>, console.table)

Is it possible that you have a section: "content_scripts" where you declare a script that is injected on all URLs?

When I remove that one new website url, no warning is shown on update and extension is remained in enabled state (all tested with update tool)

It's normal behavior!  The user profile that has installed-updated your extension with those privileges keeps them unless the extension is reinstalled.

[nem...@readcube.com]

Thanks for helping. This is the result of that command:

(index)
Value
0 'Read and change all your data on all websites'

I have only one content script value, and it matches only one url explicitly:

  "content_scripts": [
    {
      "matches": ["https://www.rightfind.com/*"],
      "js": ["/iframeRightfind.js"],
      "all_frames": true,
      "match_about_blank": true
    }
  ],

[Roberto Oneto]

At this point I would no longer know what to suggest..
Maybe someone from the group who is reading ...
Try to relaunch the "getPermissionWarningsByManifest" command by removing "tabs" permission to see if something changes.

There are some  permissions  that trigger certain warnings when come in conjunction with others permissions.

[woxxom]

Judging by the source code, "all sites" permission warning is caused by a host that is a top-level domain, i.e. it can contain any amount of sites for different companies/entities e.g. "*://*.edu.au/*" in your manifest.json and others. You can find them by using a utility or a nodejs package that checks the public suffix list.

[nem...@readcube.com]

wow, thats a great catch, thanks! I will try to remove those and see what happens next.